WP-GraphQL < 0.3.5 - Improper Access Control
Description
WPGraphQL before 0.3.5 exposes other users' roles via GraphQL, allowing any unauthenticated attacker to enumerate all site roles.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2019-25060 affects the WPGraphQL WordPress plugin in versions prior to 0.3.5 [1][4]. The plugin fails to properly restrict access to the roles field on user objects in its GraphQL schema. Because the plugin does not enforce the list_users capability check before resolving role information for other users, an unauthenticated attacker can craft a GraphQL query to retrieve the account roles of every user on the site [1][3].
Exploitation
An attacker does not need any prior authentication or privileged access. By sending a crafted GraphQL query to the /graphql endpoint that queries the users connection and requests the roles field for each user, the attacker enumerates the role names assigned to every WordPress user account [1][4]. No special network position is required beyond the ability to reach the WordPress site's GraphQL endpoint.
Impact
Successful exploitation allows the attacker to learn the role assignments of all users on the WordPress site. While the vulnerability does not expose passwords or allow direct modification of data, it leaks sensitive information about the site's user privileges (e.g., which accounts have Administrator, Editor, or other roles). This information can be used to plan further targeted attacks against high-privilege accounts [1][4].
Mitigation
The vulnerability is fixed in version 0.3.5 of the WPGraphQL plugin [4]. The fix, implemented in pull request #900, enforces the list_users capability check so that unauthenticated users cannot access other users' role information [3]. Users should update to version 0.3.5 or later immediately. No workaround is documented for older versions; updating is the recommended mitigation [4].
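The following is an added illustration of the class of check the mitigation describes; it is not the WPGraphQL project's own code and not the diff from pull request #900. It shows a GraphQL field resolver for a user's roles in the weak form (no authorization) next to a hardened form that enforces the WordPress list_users capability. The resolver function names and signature are hypothetical; get_current_user_id(), current_user_can() and WP_User are WordPress core and are assumed to be available.

```php
<?php
// Added illustrative example, not WPGraphQL project code and not the PR #900 patch.
// Assumes a WordPress runtime: get_current_user_id(), current_user_can() and the
// WP_User class are core WordPress; the resolver names below are hypothetical.

// Weak form: resolves the roles of whichever user object the query asked for,
// without checking who is asking. An unauthenticated request walking a users
// connection and selecting this field would receive every account's roles.
function resolve_user_roles_weak( WP_User $user ): array {
    return array_values( $user->roles );
}

// Hardened form: the requesting viewer may read their own roles; reading any
// other user's roles requires the list_users capability, the same capability
// WordPress core requires to browse the Users screen.
function resolve_user_roles_hardened( WP_User $user ): ?array {
    $viewer_id = get_current_user_id(); // 0 for an unauthenticated request

    // Logged-in users may always see their own role assignments.
    if ( $viewer_id !== 0 && $viewer_id === (int) $user->ID ) {
        return array_values( $user->roles );
    }

    // Everyone else must hold list_users (granted to Administrators by default).
    if ( current_user_can( 'list_users' ) ) {
        return array_values( $user->roles );
    }

    // Deny: return null for the field rather than throwing a revealing error,
    // so the response does not distinguish "forbidden" from "not present".
    return null;
}
```

The important property is that the authorization decision is taken inside the resolver, server-side, on every request: the users connection being public is acceptable only if each privileged field on the user type performs its own capability check. Operators who cannot upgrade immediately can at least confirm, by issuing a logged-out query against their own site, that the roles field resolves to null rather than a role list, and watch the access log for anonymous POSTs to /graphql that select users with roles.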
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| wp-graphql/wp-graphql (Packagist) | < 0.3.5 | 0.3.5 |
Affected products
- WordPress/WPGraphQL plugin
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-w3xg-7q6m-3xwp (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-25060 (advisory)
- github.com/wp-graphql/wp-graphql/pull/900 (web)
- wpscan.com/vulnerability/393be73a-f8dc-462f-8670-f20ab89421fc (web)
News mentions
No linked articles in our index yet.